List and filter blobs in secrets check
What does this MR do and why?
This merge request updates the secrets push check introduced in several earlier merge requests:
To list and filter blobs for new git pushes so that:
- they are below a bytes limit (i.e.
1 megabyteinitially as planned). - quarantine directory existence is honored (read more).
-
binaryblobs are filtered out.
Note: the merge request is part of a list of related merge requests, which were created iteratively to ensure ease of review and focused scope. Therefore, it shouldn't be reviewed in isolation from the rest of those merge requests.
Resolves #427044 (closed).
Related Merge Requests
| Step | Merge Request | Description |
|---|---|---|
| 5 | This one. | Updates the check to list and filter blobs of new git-push operations. |
| 6 | !137812 (merged) | Invokes gitlab-secret_detection gem to scan blobs filtered. |
| 7 | !138790 (merged) | Updates the check to add details of secrets detected (e.g. file path/commit sha) |
| 8 | !138831 (merged) | Updates the check to introduce a bypass mechanism via commit special flag. |
Feature flag + instance-level configuration
Please note the changes are behind a feature flag and an application setting too. It's not available to end users at the moment.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Ahmed Hemdan